In an announcement made by the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services, the penalties under the Health Insurance Portability and Accountability Act (“HIPAA”) have been lifted for providers’ use of online applications for scheduling COVID-19 vaccine appointments.
This enforcement discretion is retroactively effective to December 11, 2020. It applies to covered entities and their respective business associates. The vendors that provide the online applications are also covered, regardless of whether the vendor has actual or constructive knowledge that it is a “business associate” under HIPAA. Applications or other digital tools that can be directly connected to a covered entity’s electronic health record (“EHR”) are still subject to the penalties under HIPAA.
Amid the pandemic, eligible covered entities, their business associates, and vendors are covered under this temporary immunity as long as the applications are used in good faith and for the sole purpose of scheduling appointments for COVID-19 vaccinations. With that said, OCR encourages providers and business associates to adopt a set of reasonable safeguards. These recommendations are set out below:
Using and disclosing only the minimum protected health information necessary for scheduling an appointment (e.g., an individual's name and phone number).
Using encryption technology to protect protected health information.
Enabling all available privacy settings (e.g., adjusting calendar display settings, as needed, to hide names or show only individuals' initials instead of full names).
Ensuring that storage of any protected health information by the scheduling vendor is only temporary (e.g., the protected health information is returned to the covered health care provider or destroyed as soon as practicable, but no later than 30 days after the appointment).
Ensuring the scheduling vendor does not use or disclose electronic protected health information in a manner that is inconsistent with the HIPAA rules (e.g., does not engage in the impermissible sale of electronic protected health information collected from individuals who attempt to schedule a COVID-19 vaccination).
Extension of the Comment Period for the Proposed Rule Modifying HIPAA Privacy Rule
On March 9, 2021, OCR came out with another update. In its announcement, OCR extended the comment period for the recently proposed changes to the HIPAA privacy rule for another 45 days. This provides the public more time to comment on the rule until May 6, 2021.
The proposed revisions to the HIPAA privacy rule aim to eradicate the administrative burdens in care coordination and case management communications while maintaining the privacy of individuals. For example, the proposed changes would enhance flexibilities for disclosures in emergency situations, such as dealing with the COVID-19 pandemic. These revisions are also expected to allow individuals to access their information in a simplified manner. These revisions, if adopted, would require providers and their EHR vendors to revisit their policies and reshape their EHR systems.
Our Firm has extensive experience counseling employers and businesses on health care regulatory issues, particularly the evolving regulations during the COVID-19 pandemic. If you have any questions related to this Legal Briefing or questions related to COVID-19 reopening rules and procedures, please contact any member of our Firm at 585-730-4773.
This Legal Briefing is intended for general informational and educational purposes only and should not be considered legal advice or counsel. The substance of this Legal Briefing is not intended to cover all legal issues or developments regarding the matter. Please consult with an attorney to ascertain how these new developments may relate to you or your business. © 2021 Law Offices of Pullano & Farrow PLLC